RE: CISSP-ISSMP

["Omar A. Herrera" <omar.herrera () oissg org>]

Now this at least makes some sense. Thanks Serge :-).


> -----Original Message-----
> From: Serge Vondandamo [mailto:serge.vondandamo () wanadoo fr]
>
> The opposite seems to be the case on this thread.
>
> IT LOOKS LIKE WHOEVER IS NOT CERTIFIED ARE GENIUS AND CERTIFIED ONES ARE
> DUMBOOS. :-)
>
> I will suggest the following cooking recipe:
>
> 1. Help the non-certified ones understand the value of the certification
> process (not the paper) and get them certified. This awareness should come
> from the certificate holders.
>
> 2. Help the certified ones with limited knowledge to fill the gap. This
> can
> be achieved by writing papers, organising webcasts, offering tips and free
> tutorials. This should come from the most experienced ones.

Every time this topic about the value of certifications/training/whatever
appears on the lists we end in never ending discussions with little or no
value at all.

Let's face it, we all know some certified people that are brilliant and very
capable and some that are well below of what most would consider as
professional standards. The same can be said about non-certified people.
Although we all know that certifications are not a panacea, none of us have
a clue of their real value.

If we are going to do such generalizations as: Certification X is totally
worthless and therefore all people with certification X cannot provide any
added value, or any similar statement involving non-certified people for
that matter, we better have proof of it.

If someone really wants to go that way then get a reasonable, objective and
reproducible way of measuring and comparing the results of both groups
(controlled environment), an adequate amount of data (results), an
appropriate method to select and involve participants (e.g. randomly
selection of certified and non-certified people with same years/areas of
experience), and apply the corresponding statistical analysis. 

For a controlled environment I would of course not suggest another test, but
some hands-on real cases to work with (e.g. pentest scenarios in the case of
certifications related to this subject) whose outcome would be to be
assessed against that of the most recognized professionals in the area.

That should give sustainable proof that getting a certain certification does
or does not add any value to the profession (and even how much value if any)
for once and for all, much the same way like pharmaceutical companies prove
how "on average" a certain drug is effective and not a mere placebo before
it is accepted for distribution.

But since it seems that so far nobody has done this (not in a rigorous form
at least) and that the information to do it does not yet exist, let us at
least be sensible enough and recognize that we just can't asses the general
value of any certification based only on our personal perceptions. 

That is my personal perception of this issue ;-)

Regards,

Omar Herrera


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------